thesis/chap-GS-background.tex

\chapter{Dynamic Group Signatures} \label{ch:gs-background}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}

In this Part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions.
An implementation is available and the timing are detailed in \cref{ch:sigmasig}.

The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices.

Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions.

\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} 

This section recalls the syntax and the security definitions of dynamic  group signatures based on the model of Kiayias and Yung~\cite{KY06}.

A \emph{group signature}  allows a group member to
attest that a message was provided by a member of a \emph{group} without being
altered during the process and preserving the \emph{anonymity} of the users.
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03}
in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang
({BSZ}) in 2005~\cite{BSZ05}.


\begin{figure}
  \centering
  \begin{tikzpicture}
    \node (GM) {Group manager};
    \node[right=of GM] (User) {User $i$};
    \node[right=of User] (OA) {Opening Authority};
    \node[below=of User] (M) {$\sigma$, M};
    \node[right=of M] (Other) {Anyone};
    \node[above=of User] (Setup) {Trusted Setup};

    \draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User);
    \draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M);
    \draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M);
    \draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M);
    \draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM);
    \draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA);
  \end{tikzpicture}
  \caption{Relations between the protagonists in a dynamic group signature
  scheme}
  \label{fig:relations}
\end{figure}

In the setting of \emph{dynamic groups}, the syntax of group signatures includes
an interactive protocol which allows users to register as new members of the
group at any time. The syntax and the security model are those defined by
Kiayias and Yung~\cite{KY06}.
Like the very similar {BSZ} model~\cite{BSZ05}, the Kiayias-Yung
({KY}) model assumes an interactive \emph{join} protocol whereby a
prospective user becomes a group member by interacting with the group manager.
This protocol provides the user with a membership certificate, $\crt_i$, and a
membership secret, $\scr_i$.

%\paragraph{Syntax.}
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
\begin{definition}[Dynamic Group Signature]
  A \emph{dynamic group signature} scheme consists of the following algorithms
  or protocols.

  \begin{description}
    \item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$
      and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm
      is run by a trusted party to generate a group public key $\mathcal{Y}$,
      the group manager's private key $\mathcal{S}_{\GM}$ and the opening
      authority's private key $\mathcal{S}_{\OA}$. Each key is given to the
      appropriate authority while $\mathcal{Y}$ is made public. The algorithm
      also initializes a public state $St$ comprising a set data structure
      $St_{\users}=\emptyset$ and a string data structure $St_{\trans}=
      \epsilon$.\\
      In the following, all algorithms have access to the public parameters
      $\gspk$.
%
    \item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager
      GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
      The protocol involves two interactive Turing machines $\join_{\user}$ and
      $\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution
      $\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,
      ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,
      that no one else knows, and a membership certificate $\crt_{i }$. If the
      protocol is successful, the group manager updates the public state $St$ by
      setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as
      $St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$.
%
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$
%that identifies the users to be revoked.
%It outputs an updated revocation list $RL_t$ for period $t$.
%%
    \item[\textsf{Sign($\crt_i, \scr_i, M$)}:] given
%a revocation period $t$ with its revocation list $RL_t$,
      a membership certificate $\crt_{i }$, a membership secret $\scr_{i }$ and
      a message $M$, this \emph{probabilistic} algorithm outputs
      %$\perp$ if $i \in \mathcal{R}_t$ and
      a signature $\sigma$.
%
    \item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
%a revocation period $t  $, the corresponding revocation list $RL_t$,
      a message $M$ and a group public key $\mathcal{Y}$, this
      \emph{deterministic} algorithm returns either $0$ or $1$.
%
    \item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
      message $M$, a valid signature $\sigma$ w.r.t.
      $\mathcal{Y}$ %for the indicated revocation period $t$
      , the opening authority's private key $\mathcal{S}_{\OA}$ and the public
      state $St$.
      It outputs  $i \in St_{\users} \cup \{ \bot \}$, which is the identity of
      a group member or a symbol indicating an opening failure.
%
  \end{description}
  Each membership certificate contains a unique \emph{tag} that identifies the user.
\end{definition}

The correctness requirement basically captures that, if all parties
\emph{honestly} run the protocols, all algorithms are correct with respect to
their specification described as above.

%As mentioned in section~\ref{sec:art}
The Kiayias-Yung model~\cite{KY06} considers three security notions: the security against \textit{misidentification attacks} requires that, even if the adversary
can introduce users under its control in the group, it cannot produce a signature that traces outside the set of dishonest users. The notion of security against
\textit{framing attacks} implies that honest users can never be accused of having signed messages that they did not sign, even if the whole system conspired
against them. And finally the \textit{anonymity} property is also formalized by granting the adversary access to a signature opening oracle as in the models of~\cite{BSZ05}.

\paragraph{Correctness for Dynamic Group Signatures.}
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a
Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said
to \textit{extend} another state $St$ if it is within reach from $St$.

Moreover, as in \cite{KY06}, when we write
$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
public state $St'$, the execution of the interactive protocol
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$
provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.

\begin{definition}[Correctness]
  A dynamic group signature scheme is correct if the following conditions are
  all
  satisfied:
%
  \begin{enumerate}[(1)]
%
    \item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and
      two distinct entries of $St_{trans}$ always contain certificates with
      distinct tag.
%
    \item If
      $[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$
      is run by two honest parties following the protocol and  
      $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then 
      we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.
%
    \item For each %revocation period $t$ and any
      $\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }
      \leftrightharpoons_{\mathcal{Y}}  \scr_{i }$, satisfying condition 2, we have 
      $ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i
      },M),M,\mathcal{Y}\big)=1$. 
%
    \item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of   $[\join_{\user}(.,.  ),\join_{\GM}(.,St,.,. )]$ for some valid  
      $St$,
      if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then
       $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ 
%
  \end{enumerate}
  %
\end{definition}

\section{Associated Security Notions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Notions de sécurité associées}

\subsection{Oracles for Security Experiments}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Oracles nécessaires à la définition des expériences de sécurité}

We formalize security properties via experiments where the adversary
interacts with a stateful interface $\mathcal{I}$ that maintains the following
variables:
%
\begin{itemize}
%
  \item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
    state of  the interface as the adversary invokes the various oracles
    available in the attack games. It is initialized as
    $\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM},
    %\linebreak[4]
    \mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
    It includes the (initially empty) set $St_{users}$ of group members and a
    dynamically growing database $St_{trans}$ storing the transcripts of
    previously executed join protocols.
%Finally,
%$\mathsf{state}_{\mathcal{I}}$  includes a counter
%$t$ (which is initialized to $0$) indicating the number of user revocation
%queries so far.
  \item $n=|St_{users}|<\Ngs$ denotes  the current cardinality of the group.
%
  \item $\mathsf{Sigs}$: is a database of signatures created by the signing
    oracle.  Each entry consists of a triple $(i,M,\sigma)$ indicating that
    message $M$ was signed by user $i$.
%
  \item $U^a$: is the set of users that were introduced by the adversary in the
    system in an execution of the join protocol.
%
  \item $U^b$: is the set of honest  users  that   the adversary, acting as a
    dishonest group manager, introduced in the system. For these users, the
    adversary obtains the transcript of the join protocol but not the   user's
    membership secret.
%
\end{itemize}

\noindent In attack games, adversaries are granted access to the
following oracles:

\begin{itemize}
%
  \item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
    these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
    returns   the group public key $\mathcal{Y}$,   the GM's private key
    $\mathcal{S}_{\GM}$ and the opening authority's private key
    $\mathcal{S}_{\OA}$ respectively.
%
  \item $Q_{\ajoin}$: allows the adversary to introduce  users under its control
    in the group. On behalf of the GM, the interface runs  $\join_{\GM}$ in
    interaction with the $\join_{\user}$-executing adversary who plays the role of
    the prospective user in the join protocol. If this protocol successfully
    ends, the interface increments $n$, updates $St$ by inserting the new user
    $n$ in both sets $St_{users}$ and $U^a$. It also sets
    $St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$.
%
  \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
    to introduce new honest group members of its choice. The interface
    triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
    interaction with the adversary who runs $\join_{\GM}$. If the protocol
    successfully completes, the interface increments $n$, adds user $n$  to
    $St_{users}$ and $U^b$ and     sets $St_{\trans}:=St_{\trans} || \langle n,
    \transcript_n \rangle$. It stores the   membership certificate $\crt_{n  }$
    and the membership secret $\scr_{n }$ in a \textit{private} part of
    $\mathsf{state}_{\interface}$.
%
  \item $Q_{\mathsf{sig}}$: given a message $M$,  an index $i$, the interface
    checks whether the private area of $\mathsf{state}_{\interface}$ contains a
    certificate $\crt_{i }$ and a membership secret $\scr_{i }$.    If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the
    interface returns $\bot$.  Otherwise, it outputs a signature $\sigma$ on
    behalf of user
    $i$ 
    and  also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$.
%
  \item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
    pair $(M,\sigma)$,
    the interface runs  algorithm $\mathsf{Open}$ using the current state $St $.
    When $S$ is a set of pairs of the form $(M,\sigma)$,
    $Q_{\mathsf{open}}^{\neg S}$ denotes a restricted  oracle that only applies
    the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
%
  \item $Q_{\mathsf{read}}$ and $Q_{\mathsf{write}}$: are used by  the adversary
    to read and write  the content of $\mathsf{state}_{\interface}$. At each
    invocation,  $Q_{\mathsf{read}}$ outputs the whole $\mathsf{state}_{\interface}$ but
    the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
    membership secrets are stored after $Q_{\bjoin}$-queries. By using
    $Q_{\mathsf{write}}$,  the adversary can modify $\mathsf{state}_{\interface}$ at
    will as long as it does not  remove or alter elements of $St_{users}$,
    $St_{trans}$ or invalidate the public state $St$: for example, the adversary
    is allowed to create dummy users  as long as it does not re-use already
    existing certificate tags.

\end{itemize}

\noindent Based on the above syntax,  the   
security properties are formalized as follows.

\subsection{Security Against Misidentification Attacks}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte}
\label{sec:RGSdefsecMisId}

\begin{figure}[H]
  \centering
  \procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
    \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
    \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
    (M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
    Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
    \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
    \pcind \pcreturn{0}\\
    i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\
    \pcif i \not\in U^a \pcthen \\
    \pcind\pcreturn{1}\\
    \pcelse\\
    \pcind \pcreturn 0
  }
  \caption{Experiment for security against misidentification attacks.}
  \label{exp:mis-id}
\end{figure}

In a misidentification attack, the adversary can corrupt the opening authority
using the $Q_{\mathsf{keyOA}}$ oracle and introduce
malicious users in the group via $Q_{\ajoin}$-queries. 
It aims at producing a valid signature $\sigma^\star$ that does not open to any
adversarially-controlled user.


\begin{definition} \label{def:mis-id}
  A dynamic group signature scheme is secure against \emph{misidentification
  attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$
  described in Figure~\ref{exp:mis-id}, we have:
  \[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq 
    \Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} =
  \negl[\lambda].\]
\end{definition}
 


\subsection{Non-Frameability}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées}
\label{sec:RGSdefsecMonFrame}

\begin{figure}[H]
  \centering
  \procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
    \mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
    \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
    (M^\star,\sigma^\star)
    \gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
      Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
    Q_{\mathsf{sig}},	Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
    \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
    \pcind \pcreturn 0 \\
    \pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
    \mathcal{Y},St') \not \in U^b \pcthen\\
    \pcind \pcreturn 0\\
    \pcif 
    \bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
    \not\in \mathsf{Sigs} \pcthen \\
    \pcind \pcreturn 1\\
    \pcelse \\
    \pcind\pcreturn 0
  }
  \caption{Experiment for security against framing attacks.} \label{exp:frame}
 \end{figure}

Framing attacks consider the situation where the entire system  is colluding against some honest user.
The adversary can corrupt the group manager as well as the opening authority
(via oracles $Q_{\mathsf{key}\GM}$ and $Q_{\mathsf{key}\OA}$, respectively).
It can also introduce honest group members (via
$Q_{\bjoin}$-queries), observe the system while these users sign messages   and
create dummy users using $Q_{\mathsf{write}}$. %In addition, before the
%possible corruption of the group manager, the adversary can revoke
%group members at any time by invoking the $Q_{\mathsf{revoke}}$
%oracle. As a potentially corrupted group manager, $\A$ is allowed to
%come up with his/her own revocation list $RL_{t^\star}$ at the end of the game.
%We assume that anyone can publicly verify that $RL_{t^\star}$ is
%correctly formed ({\it i.e.}, that it could be a legitimate output of
%$\mathsf{Revoke}$) so that the adversary does not come up with
%an ill-formed revocation list.
%For consistency, if $\A$ chooses not to corrupt the GM, the produced
%revocation list $RL_{t^\star}$ must be the one determined by the history
%of $Q_{\mathsf{revoke}}$-queries.
The adversary eventually aims at framing an honest group member.

\begin{definition} \label{def:frame}
%
  A dynamic group signature scheme is secure against \emph{framing attacks} if,
  for any $\ppt$ adversary $\adv$ involved in the experiment~$\Exp{\mathrm{fra}}{\adv}(\lambda)$ described Figure~\ref{exp:frame}), it holds that
  \[ \advantage{\adv}{\mathrm{fra}}(\lambda)=\Proba{\Exp{\mathrm{fra}}{\adv}(\lambda)=1} \in \negl[\lambda]. \]
%

\end{definition}

\subsection{Full Anonymity}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet}
\label{sec:RGSdefsecAnon}

\begin{figure}[H]
  \centering
  \procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
    \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
    \gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
    \big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
    (\scr_{1}^\star,\crt_{1}^\star )\big)
    \gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
  %Q_{\mathsf{revoke}},
    Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
  %\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit}
  %{\Return \bot\\}
  %\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
    \pcif
    \neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star)
      \wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star)
    \wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
    \pcind\pcreturn \bot\\
  %Pick random d \gets \bit;
    \sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star,
    \scr_{d}^\star,M^\star)\\
    d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
      Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},
    Q_{\mathsf{read}},Q_{\mathsf{write}})\\
    \pcreturn d';
%  \If{d'=d}{\Return 1;}
%  \Return 0\;
  }
  \caption{Security experiments for (full-)anonymity game.} \label{exp:anon}
\end{figure}

The notion of anonymity is formalized by means of a game involving a two-stage
adversary. The first stage is called $\mathsf{play}$ stage and allows the
adversary $\adv$ to modify $\mathsf{state}_{\interface}$ via $Q_{\mathsf{write}}$-queries
and open arbitrary signatures by probing $Q_{\mathsf{open}}$.  When the
$\mathsf{play}$ stage ends, $\adv$ chooses a message $M^\star$ as well as two
pairs $(\scr_{0}^\star,\crt_{0}^\star)$ and $(\scr_{1}^\star,\crt_{1}^\star )$,
consisting of a valid membership certificate and a corresponding membership
secret.  Then, the challenger flips a coin $d \gets \bit$ and computes a
challenge signature $\sigma^\star$ using $(\scr_{d}^\star,\crt_{d}^\star)$.  The
adversary is given $\sigma^\star$ with the task of eventually guessing the bit
$d \in \bit$. Before doing so, it is allowed further oracle queries
throughout the second stage, called \textsf{guess} stage, but is restricted not
to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$.

\begin{definition} \label{def:anon}
%
A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary
$\adv$
in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible:  
  \[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq
  \left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\]

%
\end{definition}



%One can wonder why the \emph{revocation} is not in the \emph{dynamic group
%signature scheme} description, the reason is only pragmatic. It is a different
%problem to build a scheme that allows to revoke a group member than a scheme
%that allows inserting a group member~\cite{DP06}, and it has to be done in a
%case-by-case fashion.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%